Block Policy Inheritance not working as anticipated


Archived from groups: microsoft.public.win2000.group_policy (More info?)

 

I have a Domain Controller running Windows 2000 Server. The Domain container (root) has a GPO (Default Domain Policy) with password policies defined (complexity, history, length and age). Below the Domain container I have 3 OUs (Accounts, Domain Controllers and Groups). Only the Domain Controllers OU has its own GPO (Default Domain Controllers Policy). This policy does not have any password policies defined.

Below the Accounts OU I have a child OU (EM Mailbox) that contains User accounts. I have one GPO set for this OU which does not have any password policies defined. I have selected the check box for "Block Policy Inheritance" under the Group Policy tab of the EM Mailbox properties.

I expected this to block the password policy settings from GPO on the Domain Container (root), but it has not worked. On the Domain Controller I have issued the following command after selecting the Block Policy Inheritance check box:

secedit /refreshpolicy machine_policy /enforce

I also restarted the Domain Controller after issuing the secedit command above.

I am still unable to create a new user account in the EM Mailbox OU without being subject to the password policies set in the GPO associated with the Domain Container (root). I need to be able to create the new user account using a password that does not meet all the password requirements set in the Domain Container's GPO.

Does anyone have any suggestions?

Thanks in advance!!


Archived from groups: microsoft.public.win2000.group_policy (More info?)

 

Password/account policy for domain users can only be configured at the domain level,
and any attempts to bypass it will not work. Think of it as having a permanent no
override applied to it. You would have to create another domain to have different
password/account policy. You can configure AD accounts to "not expire" in account
properties to bypass the password age setting if that helps. --- Steve

http://support.microsoft.com/defau [...] -us;255550



Archived from groups: microsoft.public.win2000.group_policy (More info?)

 

After posting this question I browsed other posts relevant to my own and found my answer:

Password policies are per domain only. This ensures that a domain will have a consistent policy across all users, thus not putting it at risk by allowing possibly weaker passwords in a portion of the domain.

It would appear that there is no way around this. If there happens to be a solution, I would appreciate hearing about it.

Thanks!!!





Archived from groups: microsoft.public.win2000.group_policy (More info?)

 

Thanks Steve.


Reply to Anonymous
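
A read-only check of what the replies in this thread describe, added here as an example and not code from any poster: it prints the password policy that domain accounts actually receive, lists OUs with Block Policy Inheritance set, and reports accounts in those OUs that carry the "password never expires" flag mentioned above. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the Windows 2000 tooling in the thread; the variable names are illustrative.

```powershell
# Added example: read-only audit. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# 1. The password policy every domain account receives. It is stored on the
#    domain object, so OU-linked GPOs and Block Policy Inheritance do not alter it.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Format-List ComplexityEnabled, MinPasswordLength,
    PasswordHistoryCount, MinPasswordAge, MaxPasswordAge
$maxAge = $domainPolicy.MaxPasswordAge   # TimeSpan; zero means no domain-wide expiry

# 2. OUs where "Block Policy Inheritance" is ticked (gPOptions = 1).
$blockedOUs = Get-ADOrganizationalUnit -LDAPFilter '(gPOptions=1)' -Properties gPOptions

# 3. In each such OU, find accounts with DONT_EXPIRE_PASSWORD (0x10000 = 65536) set in
#    userAccountControl. This per-account flag is what exempts an account from the age rule.
$neverExpires = '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
$report = foreach ($ou in $blockedOUs) {
    $users = Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree `
        -LDAPFilter $neverExpires -Properties PasswordLastSet
    foreach ($u in $users) {
        # PasswordLastSet is empty when the password was never set or must be changed.
        $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { $null }
        [pscustomobject]@{
            OU                    = $ou.Name
            Account               = $u.SamAccountName
            PasswordLastSet       = $u.PasswordLastSet
            PasswordAgeDays       = if ($null -ne $age) { [int]$age.TotalDays } else { $null }
            OlderThanDomainMaxAge = ($null -ne $age) -and
                                    ($maxAge -gt [TimeSpan]::Zero) -and ($age -gt $maxAge)
        }
    }
}

if ($report) {
    $report | Sort-Object OU, Account | Format-Table -AutoSize
} else {
    Write-Output 'No never-expiring accounts found under OUs that block inheritance.'
}
```

Accounts reported with OlderThanDomainMaxAge set to True are the ones whose password has outlived the domain's maximum age because of the per-account flag, not because of any OU-level GPO.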